Hello, I'm Maneshwar. I'm working on FreeDevTools online currently building *one place for all dev tools, cheat codes, and TLDRs* — a free, open-source hub where developers can quickly find and use tools without any hassle of searching all over the internet.
Temporary directories like /tmp are often exploited by attackers or malware to drop executables, scripts, or encoded payloads. Left unchecked, these files can be executed automatically or manually, leading to compromised systems. This guide will explain how to find, analyze, and safely remove suspicious files, and prevent future attacks.
1. Understanding /tmp and Suspicious Artifacts
Linux uses /tmp as a writable directory for temporary files. Normally, it contains:
- .X11-unix, .ICE-unix: X11 sockets
- .font-unix: font cache
- Application caches (e.g., node-compile-cache, v8-compile-cache-*)
Suspicious files often include:
- Randomly named binaries: ECRXk, zImZT
- Base64-encoded payloads: SKMIC.b64, ofMnf.b64
- Obfuscated scripts: lrops.sh.backup*
- Malicious plugins: plugin<number>
These could be used for:
- Running malware or crypto miners
- Maintaining backdoors
- Exfiltrating data
- Creating persistence on reboot
2. Detecting Suspicious Files
Use the ls and file commands to identify unusual files:
cd /tmp
ls -A | grep -vE '^mcfly\.|^systemd-private-'
This lists all files except normal system or application temp files.
Check the file type:
file ECRXk SKMIC.b64 ofMnf.b64
- ELF executables: Statically linked, often dropped by attackers
- ASCII text / Base64: Encoded payloads for hiding executables or scripts
Preview the content without executing:
head -n 20 ECRXk
base64 -d SKMIC.b64 | head -n 20
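The ls, grep and file steps above can be folded into one script that walks a directory, skips the known-normal entries listed in section 1, and classifies every other file by its content rather than its name (ELF magic bytes, a shebang, or a body made only of the base64 alphabet). This is an added example, not a script from the original post or from FreeDevTools; the allowlist regex, the function names and the 32-byte minimum for a base64 guess are assumptions of this example, and it never executes anything it inspects.

```shell
#!/bin/sh
# Classify entries in a temp directory without executing anything.
# Output: one "<verdict> <path>" line per entry, verdict in: elf, base64, script, other, dir
# Exit status: 1 if any elf/base64/script file was found, 0 otherwise (cron-friendly).

# Entries that are normal in /tmp (allowlist assumed for this example; extend per host).
TMP_ALLOW='^\.X11-unix$|^\.ICE-unix$|^\.font-unix$|^mcfly\.|^systemd-private-|^node-compile-cache|^v8-compile-cache-'

# classify_file FILE -> prints elf | script | base64 | other
classify_file() {
    f=$1
    # ELF files start with the 4 bytes 7f 45 4c 46 ("\177ELF"); read them via od, not via file(1).
    magic=$(head -c 4 "$f" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf; return ;;
    esac
    # A shebang marks an interpreter script (shell, python, perl, ...).
    first=$(head -c 2 "$f" 2>/dev/null)
    if [ "$first" = "#!" ]; then
        echo script; return
    fi
    # Base64 guess (assumption): non-empty, at least 32 bytes, and no line containing
    # anything outside the base64 alphabet.
    size=$(wc -c < "$f" | tr -d ' ')
    if [ -s "$f" ] && [ "$size" -ge 32 ] && ! grep -Evq '^[A-Za-z0-9+/=]*$' "$f"; then
        echo base64; return
    fi
    echo other
}

# scan_tmp_dir DIR -> lists and classifies everything in DIR that is not allowlisted
scan_tmp_dir() {
    dir=$1
    found=0
    for entry in "$dir"/* "$dir"/.*; do
        [ -e "$entry" ] || continue
        name=${entry##*/}
        case "$name" in .|..) continue ;; esac
        echo "$name" | grep -Eq "$TMP_ALLOW" && continue
        if [ -d "$entry" ]; then
            echo "dir $entry"
            continue
        fi
        v=$(classify_file "$entry")
        echo "$v $entry"
        case "$v" in elf|base64|script) found=1 ;; esac
    done
    return $found
}

# Usage: sh scan_tmp.sh /tmp
if [ -n "${1:-}" ]; then
    scan_tmp_dir "$1"
fi
```

Because the verdict comes from the first bytes of the file, renaming an ELF dropper to something like node-compile-cache-x does not hide it unless the name also happens to match the allowlist; tune TMP_ALLOW with exact names rather than broad prefixes where you can.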
3. Checking Running Processes
Some of these temporary files might already be executing. Use:
ps aux | grep -E 'kcached|node-compile-cache|plugin'
Look for processes running from /tmp — legitimate applications rarely run from /tmp.
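Grepping ps output only catches the names you already guessed. The kernel records where every running process was actually launched from in /proc/<pid>/exe, and that link still resolves (with a " (deleted)" suffix) when the binary was removed after launch. The function below walks that tree and reports any process whose executable lives under the watched directory or has been deleted. It is an added example, not part of the original post; the optional second argument that points it at a different procfs root exists so it can be tested against a constructed tree, and readlink is assumed to be available (it is on any GNU or BSD userland).

```shell
#!/bin/sh
# List processes whose executable lives under WATCH_DIR (e.g. /tmp) or whose
# binary was deleted after launch. Run as root to see every user's processes.
# Usage: procs_running_from WATCH_DIR [PROCFS]   (PROCFS defaults to /proc)
# Output: "<pid> <exe target> <cmdline>" per hit; exit status 1 if any hit, 0 if none.
procs_running_from() {
    watch_dir=$1
    procfs=${2:-/proc}
    hits=0
    for pdir in "$procfs"/[0-9]*; do
        [ -d "$pdir" ] || continue
        pid=${pdir##*/}
        # readlink fails for kernel threads and for other users' processes when not root.
        exe=$(readlink "$pdir/exe" 2>/dev/null) || continue
        case "$exe" in
            "$watch_dir"/*|*" (deleted)")
                # cmdline is NUL-separated; make it readable on one line.
                cmd=$(tr '\0' ' ' < "$pdir/cmdline" 2>/dev/null)
                echo "$pid $exe ${cmd% }"
                hits=$((hits + 1)) ;;
        esac
    done
    [ "$hits" -eq 0 ]
}

# Usage: sh procs_from_tmp.sh /tmp
if [ -n "${1:-}" ]; then
    procs_running_from "$1"
fi
```

A deleted-executable hit is worth treating as seriously as a /tmp hit: package upgrades produce them too, but a stray process whose binary no longer exists anywhere on disk can only be recovered from /proc/<pid>/exe while it is still running, so copy it out before killing it if you want a sample.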
4. Checking Logs for Suspicious Activity
SSH logs, system logs, and cron logs can reveal unauthorized activity:
# Failed or successful SSH logins
sudo grep -E "Accepted|Failed password" /var/log/auth.log*
# Deleted files still in use: the binary was removed after launch but the process is still running
sudo ls -l /proc/[0-9]*/exe 2>/dev/null | grep '(deleted)'
sudo journalctl | grep deleted
# Cron jobs
sudo ls -l /etc/cron.*
5. Cleaning Up Suspicious Files
Remove any suspicious files safely:
sudo rm -f /tmp/ECRXk /tmp/SKMIC.b64 /tmp/ofMnf.b64 /tmp/Ncaq5gszlR
sudo rm -f /tmp/lrops.sh.backup* /tmp/pgrestore /tmp/zImZT
sudo rm -f /tmp/plugin*
Check /tmp again to confirm:
ls -A /tmp | grep -vE '^mcfly\.|^systemd-private-'
6. Checking for Persistence
Attackers may try to survive reboots using:
- Cron jobs: check the /etc/cron.* directories
- Systemd services: systemctl list-units --type=service
- User shell scripts: .bashrc, .profile, .bash_profile
Example to check user cron jobs:
for u in $(cut -d: -f1 /etc/passwd); do
echo "Cron jobs for $u:"
crontab -l -u "$u" 2>/dev/null
done
7. Preventing Future Infections
- Restrict /tmp execution (the remount applies until the next boot; add the same options to the /tmp entry in /etc/fstab to make it permanent):
mount -o remount,noexec,nosuid,nodev /tmp
- Audit cron jobs and user keys (sudo cannot run a for loop directly, so hand the loop to a shell; the home directory comes from the passwd entry because ~$u does not expand):
sudo sh -c 'for u in $(cut -d: -f1 /etc/passwd); do h=$(getent passwd "$u" | cut -d: -f6); [ -f "$h/.ssh/authorized_keys" ] && { echo "== $u"; cat "$h/.ssh/authorized_keys"; }; done'
- Regular log reviews: journalctl, auth.log
- Install malware scanners: e.g., Lynis, rkhunter, chkrootkit
8. Conclusion
Temporary directories can be exploited for persistent malware. Regular monitoring of /tmp, checking file types, reviewing logs, and removing suspicious files are essential to secure your Linux system.
By following the steps in this guide, you can detect, analyze, and safely remove hidden threats like kcached, encoded binaries, or rogue plugins.
I’ve been building for FreeDevTools.
A collection of UI/UX-focused tools crafted to simplify workflows, save time, and reduce friction in searching tools/materials.
Any feedback or contributors are welcome!
It’s online, open-source, and ready for anyone to use.
👉 Check it out: FreeDevTools
⭐ Star it on GitHub: freedevtools